HARDWARE 0-DAYS: PUBLISH, SELL OR HOARD? (PART I)

[Editor’s Note: This post is the first in a series of micro-blogs over four consecutive days.]

0-day security exploits are attacks that use vulnerabilities that are unknown to a vendor. They are referred to as 0-days because the vendor knows about them for zero days before the attack. This post is about the rise of 0-day exploits that utilize hardware vulnerabilities, i.e., vulnerabilities in the ISA, microarchitecture, circuit or device, to break systems. A prominent recent example of a hardware 0-day is a security attack based on the DRAM “row hammer” reliability problem [ROWHAMMER].

We know a few things about software 0-days: software vulnerabilities that can be turned in robust exploits are hard to find, but once discovered they can be converted into a reliable exploit within a few weeks of the discovery. The chances two different entities discovering the same software 0-day vulnerability is low (roughly 5%), and the average lifetime for a 0-day is roughly 6.5 years [RAND, SIPA]. There are wide range of prices for 0-days from a few thousand dollars to millions.[ZERODIUM].

My view is that software 0-days will become even harder to find and/or exploit going forward. This is not only because of the recent unprecedented leaks of software 0-days [LAWFARE] but also due to improvements in software security (including hardware support for software security) as evidenced by the increasing complexity of software attacks.

Hardware 0-day exploits are likely to be even harder to find and exploit compared to software 0-days. Hardware validation is more thorough than software which leaves fewer bugs for attackers to exploit in shipped products. But a hardware 0-day vulnerability/exploit is a non-zero probability event that carries very bad exposure to risk to both the users and vendors because of the difficulty of finding and/or distributing a mitigation: just imagine the danger from an unpatchable hardware 0-day vulnerability in chips used in cars or banks.

This brings us to the question of this post: what should one do when they discover a hardware 0-day? The situation here is loosely analogous to discovering a formula for a deadly biological agent. We might want to keep it a secret while we work on an antidote. This, however, may not be the best strategy because a) secrets don’t remain secrets forever, and b) a defense may require more resources and/or a different kind of thinking. What happens when the formula leaks out or the agent breaks out? Without a cure, keeping the discovery secret can severely hurt survival chances of the entire population.

In addition to this difficult issue there are financial, legal and business issues concerning hardware 0-days that differ based on who you are and what your objectives are.

What should you do if you are a government agency?

What should you do if you are an academic?

How should companies respond to a hardware 0-day?

In three blog posts over the next three days, I will discuss each of these scenarios.

About the author: Simha Sethumadhavan is an associate professor at Columbia University. His interests are in computer architecture and computer security. He is the founder of Chip Scan Inc. His website is: http://www.cs.columbia.edu/~simha

Subscribe

Get E-Mail Alerts, enter your Email:

ACM SIGARCH

SIGARCH serves a unique community of computer professionals working on the forefront of computer design in both industry and academia. It is ACM’s primary forum to interchange ideas about tomorrow’s hardware and its interactions with software.